Sunday, December 28, 2008

Microsoft confirms it's been working on SQL Server bug since April

Microsoft Corp. today confirmed that it has been working on a critical vulnerability in SQL Server for more than eight months, but declined to say whether it has had a patch ready since September, as an Austrian security researcher has alleged.

On Monday, the company warned customers of a bug that could be used to compromise servers running older versions of the database software, which is widely used to power Web sites and applications.

"Microsoft opened an investigation for this vulnerability in April upon the initial report by the security researcher," said a company spokesman in an e-mail today. "We immediately started an investigation and have been working on this issue since that time," he added.

The researcher, Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, went public with details of the vulnerability as well as an exploit code on Dec. 9, apparently after tiring of Microsoft's lack of communication.

According to Mueller, who posted findings in an advisory on the SEC Consult site, as well as to prominent security mailing lists, the bug was reported to Microsoft on April 17, 2008, and Microsoft's last message to him was on Sept. 29. After four requests for an update on a patch's status during October and November, Mueller disclosed the vulnerability.

Mueller also said that Microsoft had informed him in September that it had completed a fix.

The Microsoft spokesman didn't directly respond to a question about whether the company had a patch in hand, as Mueller claimed, but instead said, "At this time, security updates are not available for the affected versions listed in Microsoft Security Advisory 961040."

Although it is true that Microsoft has not yet issued an update to the affected software -- which includes SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database -- one security expert said he's betting that the company will release one soon.

Tuesday, November 11, 2008

Internals of SQL Cluster Setup and Troubleshooting Tips

Unlike the Exchange Cluster Setup process, the SQL Cluster Setup process is not tricky: you just click Next and finish the setup. The purpose of this article series is to explain the internals of SQL Cluster Setup. The Setup process executes a couple of functions from its Setup DLL. These functions are internal to SQL Setup and are never exposed to the user running the setup. The functions it executes are used to decide whether SQL Setup should install the SQL Database Instance in a stand-alone environment or in a cluster environment.

1. SQL Server Setup Functions
2. How does SQL Server cluster setup configure a second node to be cluster-aware?
3. What registry entries are created during setup, and what is their importance in a SQL Cluster environment?

I will start with the first topic in the list above.

SQL Server Setup Functions
SQL Setup mainly uses the SQLCluster.DLL from its BINN Directory to execute the following functions in it: DoSQLClusterSetUpWork

Wednesday, October 15, 2008

Introduction to Policy-Based Management in SQL Server 2008

New to SQL Server 2008 is Policy-Based Management. This new technology allows you to define policies that ensure your database guidelines are met. In this article, SQL Server consultant Tim Chapman gives an overview of this new technology.


Policy-Based Management in SQL Server 2008 allows the database administrator to define policies that tie to database instances and objects. These policies allow the Database Administrator (DBA) to specify rules governing how objects and their properties are created or modified. An example of this would be to create a database-level policy that disallows the AutoShrink property from being enabled for a database. Another example would be a policy that ensures the name of every trigger created on a database table begins with tr_.

As with any new SQL Server technology (or Microsoft technology in general), there is a new object naming nomenclature associated with Policy-Based Management. Below is a listing of some of the new base objects.

Policy: A Policy is a set of conditions specified on the facets of a target. In other words, a Policy is basically a set of rules specified for properties of database or server objects.

Target: A Target is an object that is managed by Policy-Based Management. Targets include objects such as the database instance, a database, table, stored procedure, trigger, or index.

Facet: A Facet is a property of an object (target) that can be involved in Policy-Based Management. An example of a Facet is the name of a Trigger or the AutoShrink property of a database.
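To make concrete what the two example policies above actually assert, here is an added T-SQL audit (not from the article, and not Policy-Based Management itself) that checks the same two rules directly against the catalog views. It assumes SQL Server 2005 or later, where sys.databases and sys.triggers exist.

```sql
-- Added example: evaluate the article's two sample policies by hand via catalog views.
-- Assumes SQL Server 2005+ (sys.databases / sys.triggers) and VIEW DATABASE STATE rights.
SET NOCOUNT ON;

-- Policy 1: AutoShrink must be disabled on every user database.
SELECT d.name AS database_name,
       d.is_auto_shrink_on,
       CASE WHEN d.is_auto_shrink_on = 1 THEN 'VIOLATION' ELSE 'OK' END AS auto_shrink_policy
FROM sys.databases AS d
WHERE d.database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- Remediation for policy 1: generate the ALTER statements, review them, then run them.
SELECT 'ALTER DATABASE ' + QUOTENAME(d.name) + ' SET AUTO_SHRINK OFF;' AS fix_statement
FROM sys.databases AS d
WHERE d.is_auto_shrink_on = 1
  AND d.database_id > 4;

-- Policy 2: every DML trigger on a user table in the current database must be named tr_*.
-- parent_class = 1 means the trigger belongs to an object (table/view), not to the database.
-- [_] escapes the underscore so LIKE does not treat it as a single-character wildcard.
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS table_name,
       t.name                                  AS trigger_name,
       CASE WHEN t.name LIKE 'tr[_]%' THEN 'OK' ELSE 'VIOLATION' END AS naming_policy
FROM sys.triggers AS t
JOIN sys.objects  AS o ON o.object_id = t.parent_id
WHERE t.parent_class = 1
  AND o.type = 'U'                 -- user tables only
ORDER BY table_name, trigger_name;
```

Policy-Based Management can evaluate the same conditions on demand, on a schedule, or on change (log or prevent); this script only reports and suggests fixes.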

Monday, August 25, 2008

Microsoft's SQL Injection Protection

Homer Simpson may have enjoyed his hot beef injections (for Homer these were hot dogs), but he would be far less fond of SQL injections, attacks upon SQL Server that can cripple Web sites.

Many with SQL Server also have IIS, which is why Microsoft is beefing up IIS with SQL Injection protections. The new filter against these attacks is free and available now.

From all indications Small Business Server 2003 was a fine product -- easy to set up, easy to use and boasting many essential business features. As I recall, the only drawback was if your company outgrew the SBS product, it was hard to move up gracefully.

The new version of the server, SBS 2008, is now in the hands of hardware makers who expect to have it bundled up by November. I guess they want to take their time and get it perfect.

Do you use SBS? What do you like and what don’t you? Answers welcome at

Saturday, July 12, 2008

Slam these SQL Injection Attacks!

In January 2003, the Microsoft SQL Server community got a massive wake-up call. The SQL Slammer hit the internet. This denial-of-service virus brought down many database servers including those at Bank of America and Microsoft itself. The solution was to apply SQL Server 2000 SP3 which by pure coincidence had been released 10 days earlier. The actual hotfix had been available for 6 months or more but in those days many DBAs just waited for the next Service Pack. Big mistake! Attacks like this prompted Bill Gates to launch the Trustworthy Computing initiative and current project plans were elongated by 3 months to allow product teams to focus on security. Products under development included Windows Server 2003, Exchange 2003 and SQL Server 2005 - they all benefited from this "strategy".

But what about SQL Injection attacks?

SQL Injection attacks take advantage of poorly coded applications by submitting hidden code "injected" into a seemingly harmless piece of input. The solution is to make sure input fields from an application are fully validated, including checking for special characters, before they are used in SQL commands. Recently, this vulnerability has emerged in many ASP applications, so Microsoft has produced a utility that will check ASP code for potential vulnerabilities.
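The same weakness exists inside the database when stored procedures build dynamic SQL by concatenation. The added T-SQL below (not from the article) shows a vulnerable lookup beside its hardened form; the table dbo.Customers and its columns are invented for the illustration, and the code assumes SQL Server 2005 or later.

```sql
-- Added example: concatenated dynamic SQL versus parameterised dynamic SQL.
-- Assumes an invented table dbo.Customers(CustomerName nvarchar(100), Email nvarchar(200)).

-- VULNERABLE: the caller's text is pasted straight into the statement, so a value
-- such as O'Brien breaks the query and crafted input can change what the statement does.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerName, Email FROM dbo.Customers WHERE CustomerName = '''
             + @name + N'''';
    EXEC (@sql);   -- whatever @name contains is parsed as T-SQL
END;
GO

-- HARDENED: the value travels as a parameter and is never parsed as code, so no
-- special-character filtering is needed for it; an apostrophe is just data.
CREATE PROCEDURE dbo.FindCustomer_Safe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerName, Email FROM dbo.Customers WHERE CustomerName = @n';
    EXEC sp_executesql @sql, N'@n nvarchar(100)', @n = @name;
END;
GO

-- Object names cannot be parameterised. Instead of hunting for special characters,
-- resolve the name through the catalog and rebuild it with QUOTENAME.
CREATE PROCEDURE dbo.RowCount_Safe @table sysname
AS
BEGIN
    DECLARE @id int, @sql nvarchar(max);
    SET @id = OBJECT_ID(@table, N'U');
    IF @id IS NULL
    BEGIN
        RAISERROR (N'Unknown user table', 16, 1);
        RETURN;
    END;
    SET @sql = N'SELECT COUNT(*) AS RowCnt FROM '
             + QUOTENAME(OBJECT_SCHEMA_NAME(@id)) + N'.' + QUOTENAME(OBJECT_NAME(@id)) + N';';
    EXEC (@sql);
END;
GO

-- Quick check: the embedded apostrophe is handled correctly only by the safe version.
EXEC dbo.FindCustomer_Safe @name = N'O''Brien';
```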

Microsoft Source Code Analyzer for SQL Injection:

Check it out!

SQL Server 2008 may not come in August after all

Microsoft SQL Server is a relational database management system whose primary query language is Transact-SQL. The latest version of the Microsoft database platform is Microsoft SQL Server 2005 SP2, but Microsoft has for a while now been working on what was previously codenamed Katmai. Microsoft is planning to release the long-awaited Microsoft SQL Server 2008 (overview) sometime during the third quarter of this year.

At the Microsoft Worldwide Partner Conference, the company announced to partners that the new version is now listed on the August price list. Pricing is to remain the same as it is with SQL Server 2005. Various news sites took this information and ran with it: many began to report that SQL Server 2008 was becoming available in August, but this is not necessarily true.

Microsoft is still expecting the new version to arrive sometime in Q3. As Andrew Fryer put it on his blog: "Bottom line—It will be out sometime in Q3 when it’s ready," the fact that it is available on August's price list does not guarantee that it will become available then. It is entirely possible that the new version will launch just at the end of Q3 (late September), and even then, you can never rule out delays with Microsoft. Currently, the latest build is RC0 (released in early June). Once it is finally released, Microsoft has previously said that SP3 for SQL Server 2005 will arrive, hopefully in Q4.

Monday, June 16, 2008

Windows IT Pro and SQL Server Magazines Announce Their Best of Tech Ed IT Pro Awards

Windows IT Pro magazine and SQL Server Magazine announced the winners of their Best of Tech Ed 2008 IT Professional Awards yesterday evening. Jeff Lewis, the Group Publisher of the Windows IT Group, presented the awards at a ceremony at Universal Studios in Orlando. Out of over 223 product nominations that were received for the Best of Tech Ed Awards, editors chose 29 finalists in nine categories.

Winners were chosen based on innovation, competitive advantage, and value to customers.

In the Messaging category, the winner is Azaleos OneServer Virtual Edition. Our judges liked the features of this innovative virtual appliance, ranging from its polished interface to its wealth of management and analysis options.

The winner in the Business Intelligence category is SoftArtisans OfficeWriter. OfficeWriter can connect to SQL Server, Analysis Services, and other databases and deliver fully functional Microsoft Excel and Word documents over the Web.

In the SharePoint category, the winner is the AvePoint DocAve Software Platform. SharePoint use is exploding, and the DocAve Software Platform provides an integrated environment for SharePoint management, disaster recovery, and real-time backup.

In the Hardware, Networking, and Storage category, the winner is Strangeloop WS1000. The WS 1000 can increase the performance of Web services by an order of magnitude. Its advanced caching technologies enable plug-and-play performance optimization without requiring any changes to the Web services application code.

In the Database Administration category, the winner is SQL diagnostic manager. SQL diagnostic manager provides the ability to monitor SQL Server performance as well as diagnose and analyze performance problems.

In the Productivity and Collaboration category, the winner is Colligo Contributor Pro. Giving users access to company information on the road is essential, and Colligo Contributor Pro allows users to access and edit Microsoft SharePoint content both online and offline.

In the Security category, the winner is Trend Micro ScanMail for Microsoft Exchange. ScanMail for Microsoft Exchange provides comprehensive e-mail security including anti-virus, anti-spyware and zero-day virus protection.

In the Virtualization category, the winner is VMware Virtual Infrastructure 3. Virtualization is taking the IT world by storm, and VMware has been driving that change more than anyone.

In the Systems Management and Operations category, the winner is Athena by Odyssey Software. Athena is a management solution for Windows-based mobile devices. The product seamlessly integrates into the Microsoft System Center management interface to provide remote tools, extended asset reporting, and provisioning for mobile devices in the enterprise.

The Breakthrough Product award winner is Quest Software’s PowerGUI, a scripting and command shell platform that enhances ease of use of Windows PowerShell.

This year's Attendees' Pick award winner is Syntergy Replicator for SharePoint.

Delayed SQL Server 2008 hits release phase

Microsoft's delayed SQL Server 2008 has inched closer to daylight, with the company's first release candidate (RC) code.
SQL Server 2008 RC 0 has been made available in three editions - the full database, Express and Express Advanced. Also released for testing is the SQL Server 2008 Feature Pack, consisting of installation packages, with 15 new components.

Calling RC 0 a "milestone", server and tools chief Bob Muglia told Microsoft's TechEd in Orlando, Florida, that the company is "very close" to shipping its delayed database. "It's in great shape," he said.
Microsoft was originally due to launch SQL Server 2008 at the end of last year. That was pushed back to February 27, with the launch timed to coincide with Windows Server 2008 and Visual Studio 2008. In January, the release was again pushed back to the third quarter.

Friday, May 16, 2008

Not Going Closed Source?

MySQL is one of the most popular databases in use today, a popularity that has been driven by the open source community. Some in the community, however, are taking issue with exactly how open MySQL actually is as fears about the future of the open source database grow.
At stake and at issue is the $1 billion Sun has invested in MySQL. As community members question Sun's intentions, MySQL defends its turf.

This week Sun's MySQL division preannounced the release of MySQL 5.1, which is expected to be available in June. The actual release is months behind schedule and follows the last major MySQL release, MySQL 5.0, by two and a half years.
MySQL also announced some new features for MySQL 6, currently in Alpha development.

MySQL Backs Off Closed Source Plan

MySQL has backed off a plan to charge for some encryption and compression backup widgetry in the next version of the database – and, heavens, NOT OPEN SOURCE THE STUFF, an idea it trotted out a few weeks ago and predictably caught hell for.
Sun, which bought MySQL for a billion dollars, a good reason to try to make some of the money back, took the rap.
MySQL’s community relations VP Kaj Arno says on a blog that the features will be open sourced after all, admitting “a change in direction” and absolving Sun of complicity in the, um, miscalculation. Sun gets enough bad press.

“The change,” he writes, “comes from MySQL now being part of Sun Microsystems. Our initial plans were made for a company considering an IPO, but made less sense in the context of Sun, a large company with a whole family of complementary open source software and hardware.”
That is not to say, MySQL won’t try again. Arno says “To financially support MySQL’s free and open source platform, we have a business model which allows both community and commercial add-ons, and we remain committed to it….expect Sun/MySQL to continue experimenting with the business model, and with what’s offered for the community and what’s offered commercial-only.”

MySQL backtracks on closed-source plan

"MySQL Server is and will always remain fully functional and open source," said Kaj Arno, MySQL's vice president of community relations, in a statement released on his website on Tuesday. "So will the MySQL Connectors, and so will the main storage engines we ship."
In effect, MySQL has changed its plans for forthcoming encryption and compression backup features that it had planned to ship under a proprietary licence, and will now release the features with open-source licences, Arno said. He also confirmed that pending backup functionality in MySQL 6.0 and the MyISAM driver for MySQL Backup will be open source.
The announcement is a step back from plans announced last month by Marten Mickos, former chief executive of MySQL and now a Sun vice president.

MySQL in a Nutshell, Second Edition--New from O’Reilly: Updated Reference Keeps Pace with MySQL’s Growth and Changes

Sebastopol, CA -- MySQL has held steady as one of the great open source success stories, and there is no indication that this will change in the foreseeable future, in spite of its recent acquisition. "Although MySQL AB has recently been purchased by Sun Microsystems, the software and the organization has remained intact," reports author Russell J. T. Dyer. "The software will only get better now that the company has the money to expand its software engineering department. More importantly, the software will be broadly adopted by larger companies now that it has the backing of a multi-billion dollar company like Sun. Sun can assure large companies, institutions, and governments that MySQL is here to stay and that it’s fully supported."

MySQL aficionados confirm that this is indeed the case, making the new second edition of Dyer’s book, MySQL in a Nutshell (O’Reilly, US $34.99), even more timely. "There have been several changes to MySQL since the first edition: in particular the stabilization of version 5.1 of MySQL," says Dyer. "I wanted to expand the book to include the changes and improvements to MySQL. This new edition includes the many new features such as stored procedures, stored functions, triggers, and views